Last modified at 11/2/2013 11:46 AM by Koen Zomers


pfSense contains a great feature called "Captive Portal". It allows you to set up an open Wi-Fi hotspot and restrict access to only certain people, similar to the hotspots you find everywhere these days (e.g. trains, stations, hotels, restaurants).


A cheap though very nice piece of hardware I can greatly recommend to use with the pfSense Captive Portal functionality would be the TPLink TL-WA801ND. I'm using a version 1.2 device of this type and am not sure if the latest version 2.0, which looks completely different, offers the same functionality. Check with TPLink if you're interested in buying one and can't find a 1.2 anymore. What makes this device perfect for the captive portal is that it only costs about 30 euros and it can broadcast 1, 2, 3 or even 4 wireless identifiers (SSIDs) simultaneously from a single device. What makes it even better is that it can tag the traffic received on each of these SSIDs with a unique VLAN tag per SSID! This means that with one of these devices you can set up a secure access point using WPA2 and a strong encryption key, a less secure WPA/WPA2 access point using an easy-to-hand-out key, and an open access point without encryption on which the captive portal controls access to your network and the internet. pfSense is perfectly capable of dealing with these VLAN tags, separating the network traffic again and applying different firewall rules per VLAN. So the highly secure VLAN might have full access, while the open Wi-Fi VLAN only gets TCP 80 (HTTP) and TCP 443 (HTTPS) access. Awesome stuff!

Two things to keep in mind when you build it this way. Clients on the open VLAN still need to resolve hostnames before pfSense can redirect them to the portal login page, so the rules for that VLAN must also allow DNS (UDP 53) to whichever resolver you hand out via DHCP. And the captive portal only decides who may pass traffic; it adds no encryption to the open SSID, so anything sent over it is readable by anyone in radio range unless the application itself uses TLS.

How to get it done

To enable the captive portal, first build a (virtual) machine which is going to host the pfSense installation and configure the basics (network card assignment, IP addresses, routing, firewall rules, etc.). Once you're done with that, I would advise creating a backup of your pfSense configuration through Diagnostics -> Backup/restore in the menu at the top. If something goes wrong later on, you can always revert to your configured basics.


Turning your pfSense server into a captive portal is as easy as going to Services -> Captive Portal in the top menu, creating a new zone with the + icon, entering any name you would like to assign to it and clicking continue.


You can now edit the zone by clicking on the E icon. In the settings you can turn on the captive portal by checking the box for Enable captive portal and selecting the network interface on which you want to turn on the captive portal. This may very well be a network interface you created with a specific VLAN tag, so you can add this captive portal functionality to your already existing pfSense server without having to add an extra physical network card.

The rest of the configurable options on that page speak for themselves. There's one option on that page that I want to highlight here because I had to dive into the source code of pfSense to figure out how it works exactly. I couldn't find any documentation on it. Could be that I didn't look carefully enough and took the source code turn too quickly, but hey.. I'm a developer, so attracted to code by nature :P

Anyway, the option I mean is called "Allow only users/groups with 'Captive portal login' privilege set", which can be found in the authentication section on that page.


What this option does is let you use the local user database of pfSense to specify which accounts are allowed to log on through your captive portal. It's an excellent way to get started without making things more complicated right away by authenticating against external sources. When this option is checked, only users in the local pfSense user database that carry the 'Captive portal login' privilege, either directly or through a group they are a member of, can log on through the portal; with it unchecked, any local account can. That matters, because the admin account you use to administer your pfSense server is typically not one you want to be usable as a captive portal login as well. Since portal credentials are typed in on an open, unencrypted network, also enable HTTPS login for the portal with a proper certificate; otherwise the password travels over the air in cleartext. So how to use this option? By following the next steps:

  1. Go to the User Manager by navigating to System -> User Manager in the top menu

  2. Click on the Group tab to switch to the overview with groups

  3. Click on the + icon to create a new group

  4. Fill in any name you would like to assign to this group at Group name and click Save at the bottom to create the new group.

  5. After hitting Save, you will return to the Group manager page, where you should now see your group having been added. Click on the E icon to the right of the row with your new group to edit the newly created group.

  6. You will now notice an extra option is available compared to the similar screen at step 4 when creating the group, namely Assigned Privileges. Click on the + icon in this section.

  7. In the list with privileges, select the row stating User - Services - Captive portal login. If this row is not in the list, you most likely haven't enabled the captive portal yet. You need to do this before you can assign rights for it to a group. Hit Save at the bottom to add the privilege to this group.

  8. You will now see the rights to log in to the captive portal have been added to this group. With the Group Memberships section on this page you can add or remove users to/from this group. Users in this group will be able to log on through the captive portal using their credentials.
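Before you trust the portal with the resulting privilege assignment, it is worth checking the configuration backup you made in the first step rather than clicking through the GUI again. The script below is an added example and is not part of the original post or of pfSense itself. It reads a pfSense config.xml backup and resolves the captive portal login privilege the way pfSense does, by combining a user's own privileges with those of every group that lists the user's uid as a member, then reports which accounts can log in and which of those also hold administrative privileges (so an admin account cannot quietly double as a hotspot login). The privilege identifier `user-services-captiveportal-login` is the internal name pfSense uses for "User - Services: Captive portal login"; the sample configuration embedded in the script is constructed for this example and is not a real backup.

```python
"""Audit which local pfSense accounts can log in to the captive portal.

Added example, not pfSense's own code. It parses a config.xml backup
(Diagnostics -> Backup/restore) and resolves the captive portal login
privilege through direct user privileges and group memberships.
"""
import sys
import xml.etree.ElementTree as ET

# Internal name of "User - Services: Captive portal login" in pfSense's
# privilege definitions. Adjust if your pfSense version names it differently.
CP_LOGIN_PRIV = "user-services-captiveportal-login"

# Privileges that mark an account as administrative (assumed set for this
# audit); such an account should not also be usable as a hotspot login.
ADMIN_PRIVS = {"page-all", "user-shell-access"}

# Constructed sample following the layout of a pfSense config.xml backup:
# users carry <uid> and optional <priv> elements, groups list member uids.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <group>
      <name>admins</name><scope>system</scope><gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <group>
      <name>hotspot</name><scope>local</scope><gid>2000</gid>
      <member>2001</member>
      <member>2002</member>
      <priv>user-services-captiveportal-login</priv>
    </group>
    <user>
      <name>admin</name><scope>system</scope><uid>0</uid>
      <priv>user-shell-access</priv>
    </user>
    <user>
      <name>alice</name><scope>user</scope><uid>2001</uid>
    </user>
    <user>
      <name>bob</name><scope>user</scope><uid>2002</uid>
      <priv>page-all</priv>
    </user>
    <user>
      <name>carol</name><scope>user</scope><uid>2003</uid>
      <priv>user-services-captiveportal-login</priv>
    </user>
  </system>
</pfsense>
"""


def effective_privileges(config_xml):
    """Map each local user name to the union of its own <priv> entries and
    the <priv> entries of every group whose <member> list contains its uid."""
    system = ET.fromstring(config_xml).find("system")
    privs_by_uid = {}
    for group in system.findall("group"):
        group_privs = {p.text for p in group.findall("priv")}
        for member in group.findall("member"):
            privs_by_uid.setdefault(member.text, set()).update(group_privs)
    result = {}
    for user in system.findall("user"):
        privs = {p.text for p in user.findall("priv")}
        privs |= privs_by_uid.get(user.findtext("uid"), set())
        result[user.findtext("name")] = privs
    return result


def captive_portal_logins(config_xml):
    """Sorted names of accounts that may authenticate to the captive portal."""
    return sorted(name for name, privs in effective_privileges(config_xml).items()
                  if CP_LOGIN_PRIV in privs)


def risky_logins(config_xml):
    """Portal-enabled accounts that also hold an administrative privilege."""
    return sorted(name for name, privs in effective_privileges(config_xml).items()
                  if CP_LOGIN_PRIV in privs and privs & ADMIN_PRIVS)


if __name__ == "__main__":
    # Pass the path of a real config.xml to audit it; otherwise use the sample.
    config = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("Captive portal logins:", ", ".join(captive_portal_logins(config)))
    for name in risky_logins(config):
        print("WARNING: %s can log in to the portal but also has admin rights" % name)
```

In the constructed sample, alice gets the privilege through the hotspot group, carol has it set directly, and bob is flagged because he is in the hotspot group while also holding page-all; admin is not a portal login at all. Run the script against an exported config.xml after every change to the group, and treat any warning as a reason to move that account out of the group.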